Skip to content

fix(theming): Harden admin theming settings #50293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AndyScherzinger merged 3 commits into from
Jan 27, 2025
Merged

fix(theming): Harden admin theming settings #50293

AndyScherzinger merged 3 commits into from
Jan 27, 2025

Conversation

@susnux
Copy link
Contributor

@susnux susnux commented Jan 21, 2025
edited
Loading

Summary

Ensure there is no " within the link to prevent XSS.
This is not a security issue as per our threat model as this can only be set by admin and admin can do everything.
But its hardens it (e.g. accidentally using an URL containing a double quote).

Checklist

@susnux susnux added this to the Nextcloud 31 milestone Jan 21, 2025
@susnux susnux requested review from Pytal, artonge and nfebe January 21, 2025 15:06
@susnux
Copy link
Contributor Author

susnux commented Jan 21, 2025

/backport to stable30

@susnux
Copy link
Contributor Author

susnux commented Jan 21, 2025

/backport to stable29

@Altahrim Altahrim mentioned this pull request Jan 21, 2025
Merged
@susnux susnux force-pushed the fix/harden-admin-settings branch from 2442f6b to 44b8d85 Compare January 21, 2025 15:48
@Altahrim Altahrim mentioned this pull request Jan 23, 2025
Merged
@AndyScherzinger
Copy link
Member

AndyScherzinger commented Jan 25, 2025

/backport to stable31

susnux added 3 commits January 27, 2025 14:20
@susnux
fix(theming): Harden admin web link settings
ff835fa 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux
fix(theming): Ensure to only send valid URLs to backend
4dac813 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux
chore: Compile assets
8aa3a15 
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
@susnux susnux force-pushed the fix/harden-admin-settings branch from 44b8d85 to 8aa3a15 Compare January 27, 2025 13:22
@AndyScherzinger AndyScherzinger merged commit 6dc83b9 into master Jan 27, 2025
190 checks passed
@AndyScherzinger AndyScherzinger deleted the fix/harden-admin-settings branch January 27, 2025 17:55
This was referenced Jan 27, 2025
Merged
Merged
Merged
@nextcloud-bot nextcloud-bot mentioned this pull request Aug 19, 2025
Merged
@skjnldsv skjnldsv removed this from the Nextcloud 32 milestone Sep 28, 2025
@skjnldsv skjnldsv modified the milestones: Nextcloud 33, Nextcloud 32 Sep 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@artonge artonge artonge approved these changes

@Pytal Pytal Pytal approved these changes

@nfebe nfebe Awaiting requested review from nfebe

Assignees

No one assigned

Labels

3. to review Waiting for reviews bug feature: theming

Projects

None yet

Milestone

Nextcloud 32

Development

Successfully merging this pull request may close these issues.

6 participants

@susnux @AndyScherzinger @artonge @Pytal @skjnldsv